January 01, 2025

00:37:47

Episode 287 Deep Dive: Leon Langlais | Sovereign Data Capability For The Physical Security Technology In The Modern World

KBKAST
Show Notes

In this episode, we sit down with Leon Langlais, Chief Product Officer APAC at Genetec, as he discusses the pervasive cybersecurity gaps in both home and corporate networks. Leon delves into the consequences of inadequate updates and the critical need for secure, trusted devices, especially for critical infrastructures. We also explore regulatory debates, the role of state-owned vendors, and the integration of security from a product’s inception.

Leon has been with Genetec for five years, having previously served in a multitude of technology leadership roles at Tyco across a near fifteen-year tenure. Leon previously worked as Senior Director of Growth Markets and Regional Strategy at Tyco Security Products, and as Director of Product Management at Tyco Safety Products. Leon is an alumnus of the prestigious Université de Sherbrooke and Polytechnique Montréal.


Episode Transcript

[00:00:00] Speaker A: Companies should only interact with trusted vendors according to their own guidelines. The threats are constantly evolving. The only way that they can make their infrastructure secure is by working with trusted partners and having constant vigilance and not assuming that what they're doing today is secure.

[00:00:25] Speaker B: This is KBKast as a primary target.

[00:00:29] Speaker A: For ransomware campaigns and testing and performance risk and compliance.

[00:00:34] Speaker C: We can actually automate that, take that data and use it. Joining me now is Leon Langlais, Chief Product Officer APAC from Genetec. And today we're discussing where physical security meets cyber security. So Leon, thanks for joining and welcome.

[00:00:51] Speaker A: Thank you. I'm glad to be here.

[00:00:53] Speaker C: So I want to start, perhaps, Leon, with your view on how physical security intersects with cyber security.

[00:01:01] Speaker A: There's a lot of intersection between physical security and cybersecurity. There's been a strong push from the physical security space to more IP devices. And I think today everything is IP based and server based. And as part of physical security it's about protecting people and assets, and we gather a lot of information that is pretty sensitive on people, on the business, the activity of the business. Also, the physical security infrastructure is now very critical to operations for a lot of businesses. On top of gathering information, if the system gets compromised, it can have a lot of adverse effects on the operations of those businesses. Definitely a big intersection in between, and a need to protect that infrastructure and the data it generates. Also, when it comes to physical security, I think the number of devices that actually get deployed on company premises has exploded in terms of complexity, in terms of variety as to what they do. So a good example of that is IoT devices. Most of them are IP based today. And more and more of those devices are connected to the network and can pose a significant threat to cybersecurity. Another angle of intersection: the physical security software does not work in isolation anymore; especially in the enterprise space, it is connected to many enterprise-wide applications. So if we talk about a single sign-on application, if we talk about an HR management system, ERP, and the list can go on and on depending on what type of business you are in. As such, any compromise of the physical security infrastructure can have some deep implications for the company. Also, we're moving into more and more sensors that gather personally identifiable data on users. So we're talking here about biometrics, facial recognition, biometric templates and things related to the identity of people, their license plate, some identification number and things of that nature. And it's more and more critical that this sensitive data gets protected. And in case of any breach it can create a fairly severe impact to, first of all, the personnel and, second of all, the company and its reputation.

[00:03:53] Speaker C: So you've spoken a lot around physical and cyber operating in their independent silos. Obviously now things need to integrate more and work well together. I was just literally interviewing someone before around OT versus IT, that they need to sort of, you know, operate in a little bit more harmony. So how do you see that sort of, you know, physical side sort of working a little bit more with cybersecurity? I mean, I've previously been in a security role myself and we had a physical security team, but they sat nowhere near us. So it did feel, even if it was, you know, in terms of distance, there was a gap there. But what do you sort of see? How can these sort of two teams work in tandem versus isolation?

[00:04:36] Speaker A: Well, the trend started several years ago where IT got more and more involved in the physical security space. We've seen many examples where, without sign-off from IT security, physical security cannot go ahead. And we've seen many examples where IT security actually owns a significant portion of the budget to deploy the physical security. So the time where both would work independently, I think, is gone. And in most organizations now they have to work in tandem. The physical security team will choose the product, will assess the threat. They will build all the plans related to physical security, but IT will definitely get involved to assess the threat from a cybersecurity perspective, from a data perspective. And they'll need to sign off on anything that gets deployed in their network, and they go beyond just the product. They will also very often ask questions around what type of certifications we have. Have you done penetration tests? In the context of very high security end users, we've seen them also request that they perform their own penetration tests on our solutions and our products to make sure that they meet the highest standards that they have. So there is more and more interaction. And I think approaching physical security without thinking about the IT department is no longer a thing. I think they're both equally important in the decision process.

[00:06:10] Speaker C: Do you think, from your experience, people are still approaching IT without thinking about physical and cyber sort of being, like, well, you know, being on the same page?

[00:06:20] Speaker A: So people have a tendency to minimize some of those aspects. What we've seen also very often, people think about cybersecurity and they believe in what we like to call silver bullets. So they're like, oh, well, I have a firewall, or in certain cases my system is disconnected from the Internet, so I'm protected. And there are many angles of attack. So minimizing the risk that your physical infrastructure poses from a cybersecurity standpoint is very dangerous. And we see that trend is quickly changing, but we still see a lot of people that are either not seeing the risk or minimizing it when it comes to the physical infrastructure.

[00:07:07] Speaker C: And from your experience, what do you think people sort of forget when it comes to, like, physical security?

[00:07:14] Speaker A: I think what people forget is that very simple attacks are very efficient to breach the vast majority of organizations. One of the most basic attacks is the default username and password. And you would be surprised about how many cameras out there in the wild still have the basic manufacturer username and password, and it has never been changed. So just this simple practice is very important to secure your infrastructure. And this applies, I'm talking about IP cameras, but it applies to a router, it applies to really any IoT or IP devices deployed on your network. Another thing that is quite simple and that is often not done in most companies is keeping your infrastructure up to date. So as threats evolve, new vulnerabilities are identified and very often manufacturers will come out with new versions of firmware to patch those vulnerabilities. And many infrastructures are not updated, for many different reasons. One of them is that it's a complex and labor intensive task. In many cases, if you have, I don't know, 10,000 IP cameras, updating the firmware on them is a daunting task. It's not something that is simple. At Genetec, we've spent part of our engineering around cybersecurity building tools to alleviate this and make it kind of an automated one-click update process from a firmware vault that we control, ensuring that the firmware that is available has been tested, vetted, and that the actual process to update the infrastructure is simple and not too expensive for customers. So changing simple usernames and passwords, making sure all of your applications are up to date, that there are no known vulnerabilities currently in use in your infrastructure, are very simple ways, but they are very effective at protecting you. Now, that in itself is not enough, but if you do not have that, this is the foundation of all your protection. And if you don't do this well, no matter what else you do, you will be very vulnerable to cyber attacks and penetration attacks.

[00:09:42] Speaker C: Okay, so you want to go. You mentioned something before about, you know, manufacturing of, like, physical devices. I want to use perhaps, maybe, a router for example. So you would probably know better than myself. But a lot of people, when you go to, like, their house, like, oh, here's my Wi-Fi, and it's like the standard syntax in which the manufacturer slash the, you know, telco provider that you've gone and procured, and then it's like, oh, here's the standard password. But then cybercriminals know that syntax in which, you know, have those SSID numbers, right? And that's intact. So I think what you're saying absolutely makes sense. So why are people just defaulting to the standard way rather than updating it? Is it because they just genuinely don't know, can't be bothered, don't have enough time? What would you sort of attribute that to?

[00:10:32] Speaker A: Well, it depends, right. For a company, I think it's a matter of cost, difficulty, visibility. For homeowners, let's say, if we take the example of a homeowner, how often do people in their lives go to the website, let's say, of their router manufacturer to see if there's a vulnerability, if there's a firmware update? How many people have the knowledge to actually know that not changing the username and password causes a threat and that people can gain access to your home network simply by leveraging fairly simple attacks? So I think there's a knowledge gap, and if I switch back to, let's say, the corporate world, it's really down to visibility and how easy it is to do, right? If you don't have an easy way to update all of your IoT infrastructure, to monitor it, to track the vulnerabilities in a simple manner, update them, you're simply not going to do it. Then it becomes a cost benefit and you will accept the risk. You'll say, okay, how probable is it that I'm going to get attacked versus how much it's going to cost me to keep my maintenance up to date. There was an example of a cyber attack in the US where there was a fairly large amount of user records that were compromised. And this happened because the IT department of a large corporation decided, let's wait to deploy the updates, to combine it with another update in order to reduce our costs. And during the three months it took them to update to the latest, there was a vulnerability that was exploited and millions of records were stolen. So it's important to do it in a timely manner, but it's a very expensive and labor intensive task depending on how you are organized. It's something we need to do as a community, I'm talking about the physical security community, to make it easy for people to do the right thing and to make sure that they have better visibility as to the threat that their infrastructure is posing, and making it as easy as possible for them to update their infrastructure and close potential threats.

[00:12:48] Speaker C: Defining this a little bit more, on the example of the router, you know, not necessarily being secure, people just sort of, you know, defaulting to the default settings. I've asked the question historically to people around why aren't the manufacturers, like, trying to make it more secure? And then the answer is, well, sure, but one, they're not going to be as profitable because it's going to cost more money, and if they were to do that they're going to then push those costs onto the consumers. So do you think we'll ever get to the stage where we are manufacturing better slash more secure devices with the intent of, well, perhaps we don't have the problem, you know, down the road, and we're not kicking that can down the road? Do you think we'll ever get there, though? And then also, do you think that any of these sort of, you know, on the physical hardware side of things, do you think it'll ever be more so regulated, where this has to be a thing that companies do? What are your thoughts then on that?

[00:13:39] Speaker A: Yeah, I definitely think we're moving towards there. The industry as a whole needs to increase the level of practice and produce better secured devices. There are many ways of doing this. Signed firmware with technology, for example, making sure you have a TPM chip that signs your hardware, ensuring that this is the original hardware from the manufacturer. There is a component of cost to it. But I do not think there is any choice; we need to evolve there. The ransomware, the data theft are costing a lot of money to society and to the end user, and reputational damage. I've seen some ransomware attacks where some end users had to pay millions of dollars to pirates because they couldn't operate anymore and they had no choice. The pirates came in and they just encrypted the entire server and they didn't have time to fix it or rebuild their infrastructure, so they had no choice but to pay for it. So it's very costly. Now, I'm not going to lie, cost is still a very important factor in our industry and I've seen a lot of end users take unsecured devices. I'm going to again take the example of IP based cameras. So they will take unreliable IP cameras because they are way cheaper than, I would say, more reliable options. They don't perceive the risk that those devices can pose to their infrastructure. A good example I can give you is in Europe we had a fairly critical infrastructure that went for a state-owned camera vendor that is really not secured. And in 2017 Genetec, as a business, took the decision to ban certain devices that we deem unsecured from state-owned vendors. And in that particular case that end user was trying to force our hand and say no, we have selected those IP cameras and you need to integrate them into your product or we will pass on the project and we will not be using Genetec in our infrastructure. After a deliberation we decided to pass on the deal and we decided not to compromise on cybersecurity. And what happened to that site is several months later, it's a fairly large installation, we're talking thousands of IP cameras, all the infrastructure contacted China at the same time and it was detected by intrusion detection. And they contacted us again asking us what could be done to prevent those cameras from going outside. We advised them that the only option that they had was to replace the cameras because they are not secured devices. And ultimately that end user came back to Genetec and switched their entire infrastructure, replacing every single IP camera they had deployed with ones from more secure and more trusted vendors, and they put in Genetec. So since then they're still an end user of ours. So saving money on that initial IP camera deployment seemed like a good deal to them, but ultimately it ended up costing them a lot more in the long term. And they were very afraid when they saw all those cameras contacting China; it increased their awareness that this posed a real threat to their infrastructure. If they would have been hacked in this context, and they have not been hacked, it could have posed significant business risk to them. So then they started realizing that the risk that unsecured infrastructure is posing to their business greatly outweighs the cost of the infrastructure itself. We've seen more and more governments, I think the Five Eyes countries, so US, Canada, UK, Australia and New Zealand, have come together and they've started expelling some of those untrusted devices from critical and government infrastructure because they really pose a threat to national security, and they also pose a threat to those critical infrastructures for cybersecurity attacks. So I think there is more and more awareness coming from all sides: end users, from governments, and us as an industry in physical security. We need to continue to push that narrative that, you know, cybersecurity is very important and it cannot be looked at in isolation from physical security. They go hand in hand. We need to elevate the bar, I think, in our industry.

[00:18:31] Speaker C: So just going with your example a bit more, would you say that was definitely the case for the Huawei deployment, from everything you're saying?

[00:18:39] Speaker A: No, it was a camera vendor, it wasn't Huawei, it was Hikvision.

[00:18:43] Speaker C: No, I know, but I'm saying that the same, like, well, you know, the obviously Chinese vendor and then they were worried about, you know, national security. That was the same sort of concern for Huawei.

[00:18:54] Speaker A: The thing is, for us it's not about Chinese vendors, it's about state-owned vendors. Huawei is definitely one of them. And Huawei is not supported within Genetec. So you cannot connect a Huawei product to the Genetec software. It's a notion of state ownership and it's a notion of unsecured devices, and it's a mix of both when it comes to those types of devices.

[00:19:21] Speaker C: Would you say that probably in recent time or recent years, is anything in terms of any product coming from certain regions, governments in Australia perhaps are just really concerned, like going even that extra mile, you know, even look at the sanctions for example, like obviously that was, you know, related to a specific war. But even when that sort of came out, we started to see sanctions implemented across different parts of the world. And I believe there was a security vendor, because firstly they got impacted by that. Now whether they were related or weren't related, that's other people's, you know, opinions. But just as a result of them being a Russian based security company, they were basically banned. Are you starting to see that more happening, though? Of just, depending on where some of these companies are located, is this an immediate ban?

[00:20:16] Speaker A: I think there's more and more awareness about the threats that those state-owned companies can pose. Will some people ban it based solely on, oh, it's Russian or it's Chinese, let's ban it? Maybe. But I don't think that's necessarily going to be the case, but I think some people are very concerned about, we saw the war in Ukraine; when Russia started the war in Ukraine there's been a lot of activity on the cyber front when it comes to that war, up to hacking unsecured camera devices deployed in cities by Russian secret services to see, when they sent their initial waves of missiles, did we miss the target? Did we hit the target? Where did the missile land? You can also hack those devices, start doing denial of service attacks, so you can really bring down some critical infrastructure. So I think from a governmental standpoint there will definitely be more regulations around this and more concerns. Yesterday I read in the news that the Canadian government started banning part of TikTok in Canada on national security grounds. And I think we'll see more and more of that. Now, from a business standpoint, it really depends on what type of business you have. I think if you take a small retail shop it might be more difficult for them to start banning some of those lower cost products because the cost component will not go away. I don't think the cost component will go away. Let's say, in the context of a Russian antivirus product, are people comfortable? Should banks be comfortable with this? Should government agencies be comfortable with this? I'll let them decide. But for us at Genetec we took a strong stance against state-owned enterprises, and especially if they are linked to military or secret services.

[00:22:21] Speaker C: Those are great points and I think that, and I asked that question because, like, you're right on the, you know, the state side of it in terms of state ownership. It was just more so what I'm seeing come up a lot in the media and just, like, commentary, just even someone just being based in certain regions is, like, automatic no. Probably that's been also backed up by current world affairs that's happened the last few years. There's probably a lot being stemmed from that in terms of the decision, would you say? So, like, moving forward with things that are going on in the world, there was a very large election this week, so do you think things are still going to progress in that direction around your state-owned thing? Just certain parts of the world, we will start to see, like, countries like Australia for example just completely banning it altogether because of the risk, or the, you know, the potential risk that some of these, you know, certain areas in the world pose. Perhaps, like, it's. I've seen it come through more and more in recent times.

[00:23:19] Speaker A: There are a few things here. First is a significant portion of attacks are coming from insider threats. So I'm going back to nationality here. So as a company, especially a large organization, your own employees can pose a significant threat to your own infrastructure. So it's not always going to be external agents, it can be internal agents. And those attacks can be as simple as simply plugging an infected USB device into one of your computers at work. And from that infected device your network gets compromised and people start infecting your network and whatever they're trying to achieve penetrating your infrastructure. So the background on employees, the high assurance of the identities of employees, is very important. And as part of cybersecurity we've been talking a lot about technology. But an important aspect to protect yourself, I think, has to do with policies and governance. When it comes to policies and governance to protect yourself effectively, I think where you are in the world matters a lot. So a good example is, let's say you are allowed to approve, I don't know, a million dollars of expense in your company because you're the CFO of the company. Well, maybe you can approve that million dollars if you're sitting in your office. But maybe if you're traveling to China or you're on a business trip to Indonesia, maybe your approval rating becomes, I don't know, 5,000, or maybe it's zero depending on the country. So where you are from, I think, is an important aspect that needs to be taken into consideration. I think it's going to evolve to something more dynamic, especially trying to identify unusual patterns, like why is this person approving this type of expense from this area? This seems unusual. So that entire policies and governance around your activity is a very important aspect. There was, I don't know if you read it, but I think it was a year ago or two years ago there was a deepfake attack in Hong Kong on a Hong Kong bank. And they used real-time deepfake technology and they simulated the CFO of a large bank with two staff from that same bank, and they called the person to convince them to transfer, at the time it was 200 million Hong Kong dollars, to another account. The employee did the transfer because the deepfake attack had the real face of the CFO and the real voice of the CFO. And it was a live call with two additional people saying that they approve and that they authorize. It's for a special project, it's super urgent, and the person transferred the money. So the first question is, there are a few questions coming from this. How do you protect yourself from such an attack? Because it was very convincing and we can't blame the employee for doing this. So for me it becomes a matter of governance. Like, how can you transfer $200 million? There should be proper checks and balances to make sure that it's a real project and approval from known, known email addresses, known tools within the company. It gets very complicated very fast. So where people are coming from, or where those state agents are, is important. But I think in the context of governance, in the context of policies.

[00:27:04] Speaker C: Yes, I did. I did see that incident. I read about that incident. That was quite prolific, I think, in terms of, in the media, on what was going on, which I think sort of set the scene of what's yet to come. So I'm going to switch gears slightly and I want to get your thoughts on physical security sort of being a little bit more secure and following this talk track a bit. So do you think people just expect physical security devices to just be secure, kind of like turning on the electricity? Like, you don't really think about how it works, you just know it turns on, but when it doesn't turn on, you've got a problem. CISA has developed a pledge to ensure that security is sort of built in more from, like, a software perspective. But what do you think we can learn from that pledge? It was developed in the U.S., so do you, is there anything that we can take from that pledge that can be sort of implemented into the physical sort of device side of things?

[00:28:05] Speaker A: Yes, definitely. People tend to minimize the risk. So we've seen, I've seen this quite a lot in dealing with end users and SIs, where we explain to them the risk posed by certain devices. People either minimize the risk or it's a cost component. But they decide to accept that risk and then they think that the way their infrastructure is will protect them, so they have a good firewall, or some say no, my system is disconnected from the Internet, so I'm secured. And they tend to believe that they have a silver bullet that protects them and don't see the evolving nature of cybersecurity threats and how important it is to choose a device. And we like to advise our customers that they should adopt a defense in depth strategy when it comes to cybersecurity. And as part of that defense in depth, we segmented it in three layers. One of the layers is the actual technology or cyber technology layer, where we're trying to educate people that cybersecurity is really not a feature. So what you described, I think some people think it's a feature and that it should come with it, but it's not a feature. Cybersecurity is something that needs to be built in at the inception of a product. It goes beyond technology. Technology is an important point, but it's also how you develop the product. It's also the best practices that you have in place and that are being followed by your engineering team. So one good example of that is, are you using open source software? Well, do you track that open source? Do you know whether there's a vulnerability in that open source? Because in today's world most applications use a lot of those open source components, they interact a lot with various APIs and SDKs, and all of these can pose a threat. So you will buy a product from a company, let's say company A, and in that product there are 20 different pieces of open source software that you're not exposed to and that you will not know pose a threat to you. So I think as an industry, building products securely from the inception of the product and through the entire life cycle of the product, it's not just when you release a product, it's done. And my product is cybersecure, I tick the feature box and it's good. I think it's something that requires constant vigilance, constant communication. And as a manufacturer we need to communicate any vulnerabilities very rapidly in a very honest and transparent manner and provide the fixes in a very short time frame. So you are right. I think people expect it to work out of the box, but that's not the case. Even if it's a good product, there needs to be constant vigilance around it. People tend to minimize the risk and there's a cost factor where people tend to just accept the risk because they simply don't want to spend the money. And I think this is ill advised because a cybersecurity incident can be very damaging to a business, very costly and very bad for reputation. And in the case of government it can be even worse than that.

[00:31:38] Speaker C: So I'm just curious to know. So I mean you raise a great point. You know, security by design, you know, defense in depth. Why is it now, as a community, society, whatever you want to call it, is anyone thinking about, oh, well, maybe we should look at the manufacturing, the security element of that? Why wasn't that ever considered initially when creating, for example, a router? Is it because it just came down to it was cheaper to cut corners, no one thought about it? What do you think went up? What happened there?

[00:32:07] Speaker A: Implementing proper cybersecurity processes, developing properly secured products from a cybersecurity standpoint, is not an easy task. It's very difficult, it requires more effort to do. It requires also a lot of knowledge. So there is definitely a knowledge component. So when it comes to physical security, I think there was a knowledge gap for many vendors throughout the years simply on how to properly secure. The cost component, the organizational component: you need to have full-time teams that are really just focused on cybersecurity because you can never rest. It's constantly evolving. You always need to be very careful, monitoring, doing product modification. So I think it's more than just a technology play, it's a knowledge play, it's a process play and it's not easy to do. It's very complex to implement. And I read a study two years ago in Asia. One of the biggest problems most end users face is a lack of talent and knowledge when it comes to cybersecurity. They cannot hire enough people. There are simply not enough people available to fill all the positions required to secure the infrastructure and we can't train the people fast enough. So the technology needs to evolve to make this easier. It also explains part of the push to cloud, and some people are simply going to third party consultants when it comes to their IP infrastructure because they can't manage it internally. It's a very daunting task. We see in Australia, especially the government, making a very strong push for critical infrastructure with IRAP and the Essential Eight. So IRAP is a very complete cybersecurity guideline where we're in the process of making all of our products compliant, our cloud products compliant, to IRAP, where we've got to explain all the tools, processes that we have in place, all the technologies that we have as part of our products, and it's going to be audited by an independent auditor, and we're going to be able to provide a report to the IT departments of the various end users, and then they're going to be able to leverage that report and do a risk assessment based on their specific realities and the various practices that we have. And it will allow them to better select, I would say, the vendors with which they're going to interact when it comes to software and various devices.

[00:34:59] Speaker C: So, Leon, do you have any closing comments or final thoughts you'd like to leave our audience with today?

[00:35:05] Speaker A: For many years the physical security space has not taken cybersecurity seriously enough, I would say. We've been working very hard to raise awareness at all levels. So within the community, so with all our tech partners, we have a lot of discussion on how we can make mutual products more secure and elevate the cybersecurity practice within the physical security space. We've also been raising awareness with governments, end users, and at every type of event that we do, we're trying to raise awareness around cybersecurity and the threats that they pose. There's a lot of education that needs to be done. I would invite anyone listening to this podcast to think about their own policies. Companies should have strong policies around it and interact with vendors that have strong policies. They should have evaluation of the technologies and the partners that they're going to bring into their companies and make sure that they have proper policies in place when it comes to cybersecurity, and that they should only interact with trusted vendors according to their own guidelines. The threats are constantly evolving. The only way that they can make their infrastructure secure is by working with trusted partners and having constant vigilance and not assuming that what they're doing today is secure, and be apprised of threats. Start with the simple things like changing usernames and passwords, making sure the infrastructure is up to date. Just that is already going to be something big to help elevate, I would say, the level of protection we have in rng.

[00:37:04] Speaker B: This is KBKast, the Voice of Cyber.

[00:37:08] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.

[00:37:17] Speaker B: This episode is brought to you by MercSec, your smarter route to security talent. MercSec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and mid-sized businesses scale faster and more efficiently. Find out [email protected] today.
